Hi Masoom,

I assume your instance is connected to a tenant network that is attached to a router, and the router is attached to a publicly-accessible network? Are you able to hop into the router via ‘ip netns exec qrouter-xxxxx’ and initiate successful pings to the outside world? If that doesn’t work, your instance will not be able to get out, either. You may also want to ensure the floating IP is set up correctly within the qrouter namespace. You should see the IP configured as a secondary address on the ‘qg’ interface, and iptables rules are set up to handle the NAT.
I would look to resolve connectivity to your instance via the router before working on the VPN.

Good luck!

James

From: masoom alam <masoom.a...@gmail.com>
Date: Monday, September 29, 2014 at 4:52 AM
To: "openstack@lists.openstack.org" <openstack@lists.openstack.org>
Subject: [Openstack] ssh cirros@<floating-ip> not working - what can be the possible reason

Hi everyone,

Context: We are trying to set up a VPN site-to-site connection, but every time it shows as down in the status. We have then decided to backtrack and find the problem.

1. We cannot ssh cirros@<floating-ip>, however by using the sudo ip netns command, we can ssh to the private IP of the instance. Any clue why?

2. From within the host which is running the all-in-one Openstack setup, we can ping any public address such as google.com, but from within CirrOS, we cannot do so. Any clue for this?

3. Please note that the Neutron firewall is disabled and proper security group rules are in place, such as the following:

    # create security profile for jump host
    neutron security-group-create jumphost
    # Add rule to allow icmp in
    neutron security-group-rule-create --protocol icmp jumphost
    # Add rule to allow ssh in
    neutron security-group-rule-create --protocol tcp --port-range-min 22 --port-range-max 22 jumphost

4. traceroute commands from within Cirros to our public interface work well, but to google.com is not working.

I am wondering, the host system firewall is disabled via "sudo ufw disable", the neutron firewall is also disabled (firewall_driver=nova.virt.firewall.NoopFirewallDriver), what else?

Another point: whenever we reboot the neutron node, it destroys all the settings, nothing is there - you can say the VM is no more usable - that is, corrupted. Any pointers to this problem?
Also adding a default gw by using the "sudo route add default gw <public address> eth0" will corrupt the VM :)

Last but not the least, every example in the context of the VPNaaS takes a local network as an example, if we are having devstack nodes on two different nodes with two different public IP addresses, do we need to have a GRE tunnel in between them before going to site-to-site connection? I know it was mandatory for Racoon based ipsec tunnels. Please guide.
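
The check suggested in James's reply (floating IP present on the 'qg' interface, with NAT rules to match), written as an added example that is not part of the original thread. It runs offline against constructed output; the interface names, addresses, chain names and function names are assumptions made for illustration.

```shell
# Live input: ip netns exec qrouter-<router-id> ip -o -4 addr show
#             ip netns exec qrouter-<router-id> iptables -t nat -S
# Constructed sample output; addresses are documentation ranges.
SAMPLE_ADDR='12: qr-aaaa1111-22    inet 10.0.0.1/24 brd 10.0.0.255 scope global qr-aaaa1111-22
13: qg-bbbb3333-44    inet 203.0.113.10/24 brd 203.0.113.255 scope global qg-bbbb3333-44
13: qg-bbbb3333-44    inet 203.0.113.25/32 brd 203.0.113.25 scope global qg-bbbb3333-44'
SAMPLE_NAT='-A neutron-l3-agent-PREROUTING -d 203.0.113.25/32 -j DNAT --to-destination 10.0.0.5
-A neutron-l3-agent-float-snat -s 10.0.0.5/32 -j SNAT --to-source 203.0.113.25'

# fip_on_qg ADDR_OUTPUT FIP: succeeds if FIP is configured on a qg- interface.
fip_on_qg() {
    printf '%s\n' "$1" | awk -v fip="$2" '
        $2 ~ /^qg-/ { split($4, a, "/"); if (a[1] == fip) found = 1 }
        END { exit found ? 0 : 1 }'
}

# fip_fixed_ip NAT_RULES FIP: prints the fixed IP that FIP is DNATed to.
fip_fixed_ip() {
    printf '%s\n' "$1" | awk -v d="$2/32" '
        { dst = ""; to = ""; dnat = 0
          for (i = 1; i < NF; i++) {
              if ($i == "-d") dst = $(i + 1)
              if ($i == "-j" && $(i + 1) == "DNAT") dnat = 1
              if ($i == "--to-destination") to = $(i + 1)
          }
          if (dnat && dst == d && to != "") { print to; exit } }'
}

# snat_matches NAT_RULES FIXED_IP FIP: succeeds if FIXED_IP is SNATed to FIP.
snat_matches() {
    printf '%s\n' "$1" | awk -v s="$2/32" -v fip="$3" '
        { src = ""; to = ""
          for (i = 1; i < NF; i++) {
              if ($i == "-s") src = $(i + 1)
              if ($i == "--to-source") to = $(i + 1)
          }
          if (src == s && to == fip) ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# check_floating_ip ADDR_OUTPUT NAT_RULES FIP: run all three checks in order.
check_floating_ip() {
    fip_on_qg "$1" "$3" || { echo "FAIL: $3 not on a qg- interface"; return 1; }
    fixed=$(fip_fixed_ip "$2" "$3")
    [ -n "$fixed" ] || { echo "FAIL: no DNAT rule for $3"; return 1; }
    snat_matches "$2" "$fixed" "$3" || { echo "FAIL: no SNAT for $fixed"; return 1; }
    echo "OK: $3 <-> $fixed"
}
check_floating_ip "$SAMPLE_ADDR" "$SAMPLE_NAT" 203.0.113.25
```

The first failing check tells you which layer to look at: address assignment on the gateway port, the inbound DNAT rule, or the outbound SNAT rule.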